CAS documentation has moved over to jasig.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

Background

The purpose of the LPPE module is to detect a number of scenarios that would otherwise prevent user authentication when an LDAP directory is used as the primary source of user accounts.

These scenarios are currently supported by the module:

| LDAP Error Code | LDAP Error Description | CAS Authentication Behavior |
|---|---|---|
| 530 | Invalid login time | Displays a message upon authentication that the user cannot log in at the current time. |
| 533 | Account is disabled | Displays a message upon authentication that the account has been disabled and the user would need to contact an administrator. |
| 773 | Must change password | Displays a message upon authentication that the account password must be changed and provides a link to a self-service password management application. |
| 775 | Account is locked | Displays a message upon authentication that the account has been locked and the user would need to contact an administrator. |
| 531 | Invalid workstation | Displays a message upon authentication that the user cannot log in from the current workstation. |
| 701 or 532 | Password has expired | Displays a message upon authentication that the account password has expired and provides a link to a self-service password management application. |

Without LPPE in place, the above scenarios are treated as generic errors that prevent authentication through the normal CAS login flow without telling the user why. LPPE intercepts the authentication flow and detects the above standard error codes, which are returned as part of the LDAP response payload. The error codes are then translated into proper messages in the CAS login flow, fully explaining the nature of the problem so that the user can take the appropriate action.

In addition, LPPE is also able to warn the user when the account password is about to expire. The expiration policy is determined from pre-configured LDAP attributes, with default values in place.

Though the above table lists standard LDAP error codes, LPPE has only been extensively tested against Active Directory. The functionality has yet to be tested and validated against an OpenLDAP instance.
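The two behaviours described above (mapping a bind failure's error code to a policy message, and warning about an approaching password expiry) are illustrated by the following stand-alone example. It is added here and is not CAS or LPPE code; it assumes the Active Directory conventions that the error code appears as a hex string in the `data NNN` field of the bind diagnostic message, that `pwdLastSet` is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), and that the domain's `maxPwdAge` is a negative tick count. The diagnostic string, the self-service URL and the message texts are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Sub-error codes AD places in the "data NNN" field of a failed bind's
# diagnostic message. These are the hex strings from the table above.
POLICY_OUTCOMES = {
    "530": "invalid_login_time",
    "531": "invalid_workstation",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "password_expired",
    "773": "must_change_password",
    "775": "account_locked",
}

PASSWORD_PORTAL = "https://password.example.org/"  # placeholder URL
MESSAGES = {  # constructed texts mirroring the behaviours in the table
    "invalid_login_time": "You cannot log in at the current time.",
    "invalid_workstation": "You cannot log in from this workstation.",
    "account_disabled": "This account has been disabled. Contact an administrator.",
    "account_locked": "This account is locked. Contact an administrator.",
    "password_expired": f"Your password has expired. Change it at {PASSWORD_PORTAL}",
    "must_change_password": f"Your password must be changed. Change it at {PASSWORD_PORTAL}",
    "generic_failure": "Authentication failed.",
}

_DATA_CODE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def classify_bind_error(diagnostic: str) -> str:
    """Map an AD bind diagnostic message to a policy outcome.

    Any message without one of the listed codes (for example a plain wrong
    password, data 52e) is reported as a generic failure, not a policy state.
    """
    match = _DATA_CODE.search(diagnostic or "")
    if not match:
        return "generic_failure"
    return POLICY_OUTCOMES.get(match.group(1).lower(), "generic_failure")


# Expiry warning, based on the pwdLastSet / maxPwdAge attribute pair.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge sentinel meaning "no expiry"


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build UTC instants without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    # FILETIME ticks are 100 ns; timedelta works in microseconds (10 ticks).
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int):
    """Return the expiry instant, or None when the password never expires.

    pwdLastSet of 0 means "must change at next logon", so it is treated as
    already expired rather than as a date in 1601 plus the maximum age.
    """
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set + abs(max_pwd_age))


def days_until_expiry(pwd_last_set: int, max_pwd_age: int, now: datetime):
    expiry = password_expiry(pwd_last_set, max_pwd_age)
    if expiry is None:
        return None
    return (expiry - now).days  # negative once the password has expired


def evaluate_login(diagnostic: str, pwd_last_set: int, max_pwd_age: int,
                   now: datetime, warn_days: int = 14) -> dict:
    """Combine both checks the way the login flow would.

    A failed bind (non-empty diagnostic) yields the policy message for its
    code; a successful bind yields a warning when expiry is within warn_days.
    """
    if diagnostic:
        outcome = classify_bind_error(diagnostic)
        return {"outcome": outcome, "message": MESSAGES[outcome], "days_left": None}
    days_left = days_until_expiry(pwd_last_set, max_pwd_age, now)
    if days_left is not None and days_left < 0:
        return {"outcome": "password_expired",
                "message": MESSAGES["password_expired"], "days_left": days_left}
    if days_left is not None and days_left <= warn_days:
        return {"outcome": "password_expiring",
                "message": f"Your password expires in {days_left} day(s). "
                           f"Change it at {PASSWORD_PORTAL}",
                "days_left": days_left}
    return {"outcome": "ok", "message": "", "days_left": days_left}


if __name__ == "__main__":
    # Constructed sample in the style of an AD bind diagnostic message.
    sample = ("80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 773, v1db1")
    print(evaluate_login(sample, 0, 0, utc(2024, 3, 20)))
    # pwdLastSet for 2024-01-01T00:00Z with a 90-day maxPwdAge (constructed).
    print(evaluate_login("", 133485408000000000, -77760000000000, utc(2024, 3, 20)))
```

Only the codes enumerated in the table are given a specific message; everything else, including a simple wrong password, falls through to the generic failure, so the added detail is limited to the policy states the table already describes.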

Source

The LPPE module ships with CAS by default as of CAS v3.5. The code is mostly a part of the Ldap module with additional configuration merged inside the CAS webapps module.

Configuration

LPPE is turned off by default. To configure the module for your account policy, follow the steps below:

Test

To exercise the LPPE features, attempt to log in to CAS using an account with an expired password, or one whose password is about to expire according to your policy settings. The login flow should switch you to the proper state indicating the nature of the problem.